Alien-libsecp256k1


libsecp256k1/include/secp256k1_musig.h  view on Meta::CPAN

 *
 *  This function is required if you want to _sign_ for a tweaked aggregate key.
 *  If you are only computing a public key but not intending to create a
 *  signature for it, use `secp256k1_xonly_pubkey_tweak_add` instead.
 *
 *  Returns: 0 if the arguments are invalid, 1 otherwise
 *  Args:            ctx: pointer to a context object
 *  Out:   output_pubkey: pointer to a public key to store the result. Will be set
 *                        to an invalid value if this function returns 0. If you
 *                        do not need it, this arg can be NULL.
 *  In/Out: keyagg_cache: pointer to a `musig_keyagg_cache` struct initialized by
 *                       `musig_pubkey_agg`
 *  In:          tweak32: pointer to a 32-byte tweak. The tweak is valid if it passes
 *                        `secp256k1_ec_seckey_verify` and is not equal to the
 *                        secret key corresponding to the public key represented
 *                        by keyagg_cache or its negation. For uniformly random
 *                        32-byte arrays the chance of being invalid is
 *                        negligible (around 1 in 2^128).
 */
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_xonly_tweak_add(
    const secp256k1_context *ctx,
    secp256k1_pubkey *output_pubkey,            /* out, optional: argument 2 is not in the NONNULL list below; holds an invalid value when 0 is returned */
    secp256k1_musig_keyagg_cache *keyagg_cache, /* in/out: must come from musig_pubkey_agg; non-const, so presumably updated with the tweak (confirm in the implementation) */
    const unsigned char *tweak32                /* in: 32-byte tweak; an invalid tweak is one way to get a return of 0, so check the result before using output_pubkey */
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

/** Starts a signing session by generating a nonce
 *
 *  This function outputs a secret nonce that will be required for signing and a
 *  corresponding public nonce that is intended to be sent to other signers.
 *
 *  MuSig differs from regular Schnorr signing in that implementers _must_ take
 *  special care to not reuse a nonce. This can be ensured by following these rules:
 *
 *  1. Each call to this function must have a UNIQUE session_secrand32 that must
 *     NOT BE REUSED in subsequent calls to this function and must be KEPT
 *     SECRET (even from other signers).
 *  2. If you already know the seckey, message or aggregate public key
 *     cache, they can be optionally provided to derive the nonce and increase
 *     misuse-resistance. The extra_input32 argument can be used to provide
 *     additional data that does not repeat in normal scenarios, such as the
 *     current time. These inputs are an additional safeguard; rule 1 still
 *     applies when they are provided.
 *  3. Avoid copying (or serializing) the secnonce. This reduces the possibility
 *     that it is used more than once for signing. Any stored or duplicated
 *     copy (for example one brought back from a backup or snapshot) is a way
 *     for the same secnonce to reach the signing step twice.
 *
 *  If you don't have access to good randomness for session_secrand32, but you
 *  have access to a non-repeating counter, then see
 *  secp256k1_musig_nonce_gen_counter.
 *
 *  Remember that nonce reuse will leak the secret key!
 *  Note that using the same seckey for multiple MuSig sessions is fine.
 *
 *  Notes for callers:
 *  - The return value must be checked (the declaration carries
 *    SECP256K1_WARN_UNUSED_RESULT). This comment does not state what secnonce
 *    and pubnonce contain after a return of 0, so neither should be used for
 *    signing or sent to other signers in that case.
 *  - session_secrand32 is an In/Out argument and is declared non-const: on
 *    success the buffer is overwritten. Pass a writable buffer and do not
 *    keep a second copy of its original value elsewhere, since that copy
 *    could be fed into a later call.
 *  - A pubkey that does not match seckey is not reported as an error. Callers
 *    that need this guarantee have to check the correspondence themselves.
 *
 *  Returns: 0 if the arguments are invalid and 1 otherwise
 *  Args:         ctx: pointer to a context object (not secp256k1_context_static)
 *  Out:     secnonce: pointer to a structure to store the secret nonce
 *           pubnonce: pointer to a structure to store the public nonce
 *  In/Out:
 *  session_secrand32: a 32-byte session_secrand32 as explained above. Must be unique to this
 *                     call to secp256k1_musig_nonce_gen and must be uniformly
 *                     random. If the function call is successful, the
 *                     session_secrand32 buffer is invalidated to prevent reuse.
 *  In:
 *             seckey: the 32-byte secret key that will later be used for signing, if
 *                     already known (can be NULL)
 *             pubkey: public key of the signer creating the nonce. The secnonce
 *                     output of this function cannot be used to sign for any
 *                     other public key. While the public key should correspond
 *                     to the provided seckey, a mismatch will not cause the
 *                     function to return 0.
 *              msg32: the 32-byte message that will later be signed, if already known
 *                     (can be NULL)
 *       keyagg_cache: pointer to the keyagg_cache that was used to create the aggregate
 *                     (and potentially tweaked) public key if already known
 *                     (can be NULL)
 *      extra_input32: an optional 32-byte array that is input to the nonce
 *                     derivation function (can be NULL)
 */
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_nonce_gen(
    const secp256k1_context *ctx,
    secp256k1_musig_secnonce *secnonce,
    secp256k1_musig_pubnonce *pubnonce,
    unsigned char *session_secrand32, /* non-const on purpose: invalidated on success */
    const unsigned char *seckey,
    const secp256k1_pubkey *pubkey,
    const unsigned char *msg32,
    const secp256k1_musig_keyagg_cache *keyagg_cache,
    const unsigned char *extra_input32
/* Arguments 5, 7, 8 and 9 (seckey, msg32, keyagg_cache, extra_input32) are absent
 * from the NONNULL list below, matching their "can be NULL" documentation. */
) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6);


/** Alternative way to generate a nonce and start a signing session
 *
 *  This function outputs a secret nonce that will be required for signing and a
 *  corresponding public nonce that is intended to be sent to other signers.
 *
 *  This function differs from `secp256k1_musig_nonce_gen` by accepting a
 *  non-repeating counter value instead of a secret random value. This requires
 *  that a secret key is provided to `secp256k1_musig_nonce_gen_counter`
 *  (through the keypair argument), as opposed to `secp256k1_musig_nonce_gen`
 *  where the seckey argument is optional.
 *
 *  MuSig differs from regular Schnorr signing in that implementers _must_ take
 *  special care to not reuse a nonce. This can be ensured by following these rules:
 *
 *  1. The nonrepeating_cnt argument must be a counter value that never repeats,
 *     i.e., you must never call `secp256k1_musig_nonce_gen_counter` twice with
 *     the same keypair and nonrepeating_cnt value. For example, this implies
 *     that if the same keypair is used with `secp256k1_musig_nonce_gen_counter`
 *     on multiple devices, none of the devices should have the same counter
 *     value as any other device.
 *  2. If the seckey, message or aggregate public key cache is already available
 *     at this stage, any of these can be optionally provided, in which case
 *     they will be used in the derivation of the nonce and increase
 *     misuse-resistance. The extra_input32 argument can be used to provide
 *     additional data that does not repeat in normal scenarios, such as the
 *     current time.
 *  3. Avoid copying (or serializing) the secnonce. This reduces the possibility
 *     that it is used more than once for signing.
 *
 *  Remember that nonce reuse will leak the secret key!
 *  Note that using the same keypair for multiple MuSig sessions is fine.


